strapi-plugin-oidc 1.6.2 → 1.6.3

package/README.md CHANGED
@@ -119,14 +119,13 @@ Role names are the **display names** shown in **Settings → Roles** (e.g. `"Edi
119
119
  ### Role assignment precedence
120
120
 
121
121
  1. **User's OIDC groups match `OIDC_GROUP_ROLE_MAP`** → use the mapped Strapi roles
122
- 2. **No group match or no mapping configured** → use the default OIDC roles
122
+ 2. **No group match or no mapping configured** → use the default OIDC roles (new users only — see below)
123
123
 
124
124
  ### Role updates on subsequent logins
125
125
 
126
- - **New users** — OIDC roles are always assigned on first login.
127
- - **Existing users with manually unchanged roles** — If a user's current roles still match the roles assigned by OIDC on their previous login (i.e., an administrator has not manually changed their roles), their roles are updated to reflect the current group mapping. This ensures that when the group-to-role mapping changes, returning users pick up the new roles automatically.
128
- - **Existing users with manually changed roles** — If an administrator has manually assigned the user different roles since their last OIDC login, the user's roles are left unchanged. OIDC will not overwrite a manual role assignment.
129
- - **Mapping removed or user's groups don't map** — If the `OIDC_GROUP_ROLE_MAP` is removed, a user's groups no longer match any mapping, or there are no default OIDC roles configured, the user keeps their last known roles.
126
+ - **New users** — Roles are always assigned on first login: group-mapped roles if a match is found, otherwise the configured default OIDC roles.
127
+ - **Existing users with a group mapping match** Roles are updated to reflect the current mapping. If a user's groups change between logins, their Strapi roles are updated accordingly.
128
+ - **Existing users with no group mapping match** — Roles are left unchanged, regardless of what the default OIDC roles are set to. Manually-assigned roles are never overwritten by a default fallback.
130
129
 
131
130
  ## Whitelist API
132
131
 
@@ -476,9 +476,9 @@ function resolveRolesFromGroups(userInfo, config2, availableRoles) {
476
476
  }
477
477
  async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
478
478
  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
479
- if (groupRoles.length > 0) return groupRoles;
479
+ if (groupRoles.length > 0) return { roles: groupRoles, fromGroupMapping: true };
480
480
  const oidcRoles = await roleService2.oidcRoles();
481
- return oidcRoles?.roles || [];
481
+ return { roles: oidcRoles?.roles || [], fromGroupMapping: false };
482
482
  }
483
483
  async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
484
484
  const defaultLocale = oauthService2.localeFindByHeader(
@@ -526,7 +526,12 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
526
526
  }
527
527
  await whitelistService2.checkWhitelistForEmail(email);
528
528
  const allRoles = await strapi.db.query("admin::role").findMany();
529
- const roles2 = await resolveRoles(userResponseData, config2, roleService2, allRoles);
529
+ const { roles: roles2, fromGroupMapping } = await resolveRoles(
530
+ userResponseData,
531
+ config2,
532
+ roleService2,
533
+ allRoles
534
+ );
530
535
  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
531
536
  let userCreated = false;
532
537
  let rolesUpdated = false;
@@ -535,16 +540,11 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
535
540
  user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
536
541
  userCreated = true;
537
542
  rolesUpdated = true;
538
- } else if (roles2.length > 0) {
539
- const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
543
+ } else if (fromGroupMapping && roles2.length > 0) {
540
544
  const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
541
- const newRoleIds = new Set(roles2);
542
- if (rolesChanged(currentRoleIds, newRoleIds)) {
543
- const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
544
- if (isOnDefaultRoles) {
545
- await updateUserRoles(user, currentRoleIds, roles2);
546
- rolesUpdated = true;
547
- }
545
+ if (rolesChanged(currentRoleIds, new Set(roles2))) {
546
+ await updateUserRoles(user, currentRoleIds, roles2);
547
+ rolesUpdated = true;
548
548
  }
549
549
  }
550
550
  const jwtToken = await oauthService2.generateToken(user, ctx);
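Review bot: The rewritten branch `} else if (fromGroupMapping && roles2.length > 0) {` makes the IdP's group claims the sole authority over an existing user's admin roles, in both directions: while the user's groups still map, any role an administrator granted or removed by hand is replaced on the next login, and once the groups stop mapping (`fromGroupMapping` false) the user keeps every role they already hold, so removing a user from a mapped group at the IdP never revokes a Strapi role. Both outcomes match the README text in this release but are not visible from the code, so the branch deserves a comment such as `// Group mapping is authoritative: overwrites manual role edits; no match => existing roles kept (no de-provisioning via IdP groups)`. The `roles2.length > 0` half of the condition is redundant, since `resolveRoles` only returns `fromGroupMapping: true` when `groupRoles.length > 0`, and dropping it would make the intent clearer. The identical hunk appears again in the second compiled copy of this file (`@@ -529,16 +534,11 @@`) and the same note applies there. The enclosing `handleUserAuthentication` function starts and ends outside the hunk.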
@@ -470,9 +470,9 @@ function resolveRolesFromGroups(userInfo, config2, availableRoles) {
470
470
  }
471
471
  async function resolveRoles(userInfo, config2, roleService2, availableRoles) {
472
472
  const groupRoles = resolveRolesFromGroups(userInfo, config2, availableRoles);
473
- if (groupRoles.length > 0) return groupRoles;
473
+ if (groupRoles.length > 0) return { roles: groupRoles, fromGroupMapping: true };
474
474
  const oidcRoles = await roleService2.oidcRoles();
475
- return oidcRoles?.roles || [];
475
+ return { roles: oidcRoles?.roles || [], fromGroupMapping: false };
476
476
  }
477
477
  async function registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2) {
478
478
  const defaultLocale = oauthService2.localeFindByHeader(
@@ -520,7 +520,12 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
520
520
  }
521
521
  await whitelistService2.checkWhitelistForEmail(email);
522
522
  const allRoles = await strapi.db.query("admin::role").findMany();
523
- const roles2 = await resolveRoles(userResponseData, config2, roleService2, allRoles);
523
+ const { roles: roles2, fromGroupMapping } = await resolveRoles(
524
+ userResponseData,
525
+ config2,
526
+ roleService2,
527
+ allRoles
528
+ );
524
529
  const resolvedRoleNames = allRoles.filter((r) => roles2.includes(String(r.id))).map((r) => r.name);
525
530
  let userCreated = false;
526
531
  let rolesUpdated = false;
@@ -529,16 +534,11 @@ async function handleUserAuthentication(userService, oauthService2, roleService2
529
534
  user = await registerNewUser(oauthService2, email, userResponseData, config2, ctx, roles2);
530
535
  userCreated = true;
531
536
  rolesUpdated = true;
532
- } else if (roles2.length > 0) {
533
- const defaultRoleIds = new Set(user.roles.map((r) => String(r.id)));
537
+ } else if (fromGroupMapping && roles2.length > 0) {
534
538
  const currentRoleIds = new Set(user.roles.map((r) => String(r.id)));
535
- const newRoleIds = new Set(roles2);
536
- if (rolesChanged(currentRoleIds, newRoleIds)) {
537
- const isOnDefaultRoles = currentRoleIds.size === defaultRoleIds.size && [...currentRoleIds].every((id) => defaultRoleIds.has(id));
538
- if (isOnDefaultRoles) {
539
- await updateUserRoles(user, currentRoleIds, roles2);
540
- rolesUpdated = true;
541
- }
539
+ if (rolesChanged(currentRoleIds, new Set(roles2))) {
540
+ await updateUserRoles(user, currentRoleIds, roles2);
541
+ rolesUpdated = true;
542
542
  }
543
543
  }
544
544
  const jwtToken = await oauthService2.generateToken(user, ctx);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "strapi-plugin-oidc",
3
- "version": "1.6.2",
3
+ "version": "1.6.3",
4
4
  "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
5
5
  "strapi": {
6
6
  "displayName": "OIDC Plugin",